Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Enhanced Response Action Experience from Threat Explorer
Published May 08 2024 10:31 AM 3,287 Views
Microsoft

Empowering SecOps with the ability to submit, block, kick off investigations and delete emails in bulk with a single action wizard within Explorer. - Rolling out now!

 

Last year December we published a blog post, where we announced a new Take action feature in the Email Entity and Email Summary panel that lets you take multiple actions at once from a single wizard. This feature makes it easier and faster for SecOps to deal with email threats by giving you logical grouping of actions, contextual availability of actions, and support for tenant level block URLs and files. Overall, we received very positive and encouraging responses on the value it adds for our customers and the ease of use of this flow.

We are very excited to announce that we are now expanding this feature to Threat explorer, where you can apply the same strong and convenient actions to more than one email message at once. Also, Tenant level URL/ file / sender and domain blocks available directly from Threat explorer.

This feature improves Threat explorer’s effectiveness and makes it a more powerful tool for security admins to detect, identify, and remediate threats quickly!

 

 

Take Action button from Threat explorer!Take Action button from Threat explorer!

 

 

Advantages of the new Take action feature

The new Take action feature offers several benefits for security analysts, such as:

  • It allows you to swiftly and efficiently remove email threats by letting you take multiple actions at once on up to 100 emails. If you need to do bulk email remediation for more than 100 and up to 200,000 emails, this new wizard will help you do that in a structured way.
  • It reduces the number of clicks and steps required to execute single and bulk email actions from Threat explorer.
  • It allows you to block malicious URLs or files at the tenant level (Tenant Allow Block List (TABL)) directly from Threat explorer, without having to go to another page (new addition!!).
  • Some of the actions are not available based on the current location of the message, but if there is a conflict, SecOps can use toggle choices to turn them on/off as desired and take proper action.

How it works  

To use the new Take action feature, follow these steps:

  • Go to Threat explorer and select the emails you would like to take action on.
    • Up to 100 email selection -

You can select up to 100 emails at a time.

Click on the “Take Action” button. Note that this button has replaced the previous “Message actions” drop-down menu.

 

Figure 1 Take action button.jpg

  •   More than 100 and up to 200,000 email selection

If the email selection from the previous page has more than 100 entries, you can only activate one action at a time and no additional contextual actions.

 

soumyamishra_1-1714737163985.png

 

  • A panel will open with the following options: Purge emails, Submit emails, Investigate emails, and Block URL/file. Some options may be grayed out depending on the latest delivery location of the emails. For example, you cannot purge emails that have been deleted or moved to another folder.
  • Figure 3.jpg

     By default, some actions are unavailable/grayed out based on the latest delivery location of the message. To show all available response actions, slide the toggle on. 

     

    Figure 4.jpg

     

  • If you select the Submit emails option, you will see a sub-option to confirm the emails as threats.  If you select this option, you will see another panel where you can choose to block the URLs or files associated with the emails at the tenant level. You can select multiple entities to block. 

Figure 5.jpg

 

 

  • If you select the Submit emails option, you will see a sub-option to confirm the emails as threats. By selecting this option, you will see another panel where you can choose to block the URLs or files associated with the emails at the tenant level. You can select multiple entities to block.
  • Review the actions you are going to take and click on the “Submit” button.
  • Track the status of the actions in the respective pages. For example, you can see the purged emails in the Action Center page, the submitted emails in the Submissions page, the investigated emails in the Automated investigations page, and the blocked entities in the Tenant allow/block lists page. Also, we have recently done enhancement where SOC teams have direct and in-line visibility into manual remediation, quarantine release etc. and system post-delivery actions like ZAP and reprocessed messages (for FP recovery) etc. in Threat Explorer’s result, read the blog for more.

We are gradually introducing this feature over the next few weeks. It is designed to help you strengthen your security and reduce your workload. We value your feedback and suggestions on how to make the action experience in Microsoft 365 Defender better. Please engage with Defender for Office 365 forum.

Learn more:

To learn more about Threat explorer and the new Take action feature, visit the following links:

Version history
Last update:
‎Jun 07 2024 10:30 AM
Updated by: